On Fri, 2015-12-11 at 16:53 +0000, Pavel Kogan wrote:
>
> ```
> $ sudo ./juniper-vpn.py --host pulse.example.com --user pavel.kogan
> --stdin DSID=%DSID% openconnect --juniper %HOST% --cookie-on-stdin
> --interface=tun0
> Password:
> WARNING: Juniper Network Connect support is experimental.
> It will probably be superseded by Junos Pulse support.
> Attempting to connect to server 19X.XXX.XXX.XXX:443
> SSL negotiation with pulse.example.com
> Connected to HTTPS on pulse.example.com
> SSL negotiation with pulse.example.com
> Connected to HTTPS on pulse.example.com
> Connected tun0 as 10.XXX.XXX.XXX, using SSL
> ESP session established with server
> Server terminated connection (session expired)
> Unknown error; exiting.
> WARNING: Juniper Network Connect support is experimental.
> It will probably be superseded by Junos Pulse support.
> Attempting to connect to server 19X.XXX.XXX.XXX:443
> SSL negotiation with pulse.example.com
> Connected to HTTPS on pulse.example.com
> Got HTTP response: HTTP/1.1 302 Found
> Unexpected 302 result from server
> Creating SSL connection failed
> Waiting 10...
> ```
> The error then repeats until I Ctrl-C.

That's odd. I assume you're using a fresh DSID cookie each time you
connect? And it then kicks you off almost immediately, telling you
'session expired'? How long does it remain connected for?

I wonder if this is a problem with tncc.py from the scripts you're
using to authenticate. In some modes the host checker script is
expected to keep running all the time you're connected to the VPN, but
ISTR that isn't implemented in Russ's tncc.py.

Can you try running the *real* one? OpenConnect has support for
spawning it... do you actually need external scripts at all for
authentication, in fact? Anything we can do in an external python
script parsing the forms, we *should* be able to add to OpenConnect's
own parsing hacks.

-- 
dwmw2